
Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in Condor 10.0.3



Hi Petr,
thanks for all those clarifications!

I hope the voms-clients dependency can be fixed then,
so that we will have a lot more time to get accounting
to work purely with tokens instead...



From: Petr Vokac <Petr.Vokac@xxxxxxx>
Sent: Saturday, May 6, 2023 11:35 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; Maarten Litmaath <Maarten.Litmaath@xxxxxxx>; James Frey <jfrey@xxxxxxxxxxx>
Cc: Steven Timm <timm@xxxxxxxx>; condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in Condor 10.0.3
 
Everybody should already be aware that HTCondor is a very progressive piece of software that tries to move us into the future. One should be careful with upgrades / definitely read the release notes (not just for LTS but also for previous feature releases), because HTCondor is changing default configuration values:

Version 9.10.0

...
  • The default value of configuration parameter USE_VOMS_ATTRIBUTES has been changed to False. (HTCONDOR-1161)


When it comes to the jobs with delegated X.509 proxy it is also necessary to add in HTCondor-CE 6 configuration "USE_VOMS_ATTRIBUTES = True".

The OSG HTCondor-CE release depends on voms-clients-cpp, but the non-OSG release comes with a java dependency, because according to the SPEC file
* Wed Jul 15 2020 Mátyás Selmeci <matyas@xxxxxxxxxxx> - 4.4.1-2
- Change voms-clients-cpp requirement to voms-clients for non-OSG builds,
  because voms-clients-java works equally well
To be honest this statement is not true anymore, because HTCondor-CE compiled without GSI can't really dlopen the JAVA VOMS library. So in my view the dependencies of the non-OSG HTCondor-CE packages are broken and need to be fixed by the HTCondor-CE package maintainers.

Because LHC experiments are not as progressive as HTCondor developers, I'm personally not very concerned about accounting which relies on x509UserProxyVOName, because only a negligible fraction of short test jobs are submitted without a delegated proxy and we don't plan to change that in the near future. Unfortunately we have to ask all sites to configure HTCondor-CE 6 with the non-default USE_VOMS_ATTRIBUTES.

Fermilab is in a different position, because they are pushing tokens hard, but their gracc accounting doesn't, as far as I know, rely on site configuration and they should be fine even without USE_VOMS_ATTRIBUTES. Still, job routing will be affected if sites don't update their configuration to rely on AuthTokenIssuer classAds instead of x509* ... actually can somebody from FNAL explain to me how to route NOvA jobs submitted with tokens, because from the token classAds I can't really determine the individual experiments aggregated in the Fermilab VO
AuthTokenGroups = "/fermilab,/fermilab/pilot"
AuthTokenId = "https://cilogon.org/oauth2/4b43d9cf935ca4f531a4c41cfb326ee1?type=accessToken&ts=1683307232137&version=v2.0&lifetime=10800000"
AuthTokenIssuer = "https://cilogon.org/fermilab"
AuthTokenScopes = "compute.create,compute.read,compute.cancel,compute.modify"
AuthTokenSubject = "fermilabpilot@xxxxxxxx"
It is a bit unfortunate that AuthTokenGroups use just "/fermilab" while in case of x509UserProxyFirstFQAN jobs are submitted with "/fermilab/nova", it is not clear to me why Fermilab decided to use such inconsistent group configuration for tokens vs. x509.

Petr

On 5/6/23 00:10, Steven C Timm via HTCondor-users wrote:
I can assure you that this is not the case.  In htcondor 10 the voms attributes are not being populated.  

Steve



From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Maarten Litmaath <Maarten.Litmaath@xxxxxxx>
Sent: Friday, May 5, 2023 4:41 PM
To: James Frey <jfrey@xxxxxxxxxxx>
Cc: condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>; HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in Condor 10.0.3
 
Hi Jaime,
with HTCondor CE v5 it appears one gets the VOMS library automatically
through dependencies: I never had to think about it...

I browsed the admin docs and could not find a mention of VOMS either:
did I manage to overlook the right place?



From: Jaime Frey <jfrey@xxxxxxxxxxx>
Sent: Friday, May 5, 2023 11:06 PM
To: Maarten Litmaath <Maarten.Litmaath@xxxxxxx>
Cc: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>; condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in Condor 10.0.3
 
There’s really nothing to suggest that’s different than for HTCondor 9.0. When the schedd attempts to extract information from the job’s proxy at submission time (if provided in the input sandbox), it tries to dlopen() the VOMS client library. If that succeeds, it uses the library to extract VOMS attributes.

 - Jaime

On May 5, 2023, at 3:37 PM, Maarten Litmaath <Maarten.Litmaath@xxxxxxx> wrote:

Hi Jaime,
that is good news, thanks!

The absence of that library is not fatal then, but is there a suggestion for admins to consider installing it?


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Friday, May 5, 2023 10:25 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: James Frey <jfrey@xxxxxxxxxxx>; condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in Condor 10.0.3
 
HTCondor 10.X still supports the VOMS library, which doesn’t rely on GSI, and delegation of an X.509 proxy during job submission. If a proxy file is provided for the job’s use (via the x509userproxy submit command), the VOMS attributes should be populated in the job ad. This assumes the VOMS client library is installed on the machine.

 - Jaime

On May 5, 2023, at 2:59 AM, Maarten Litmaath <Maarten.Litmaath@xxxxxxx> wrote:

Hi José,
in 10.x there is no code that looks into the VOMS extensions that an X509 proxy may have
and hence there are no variables defined anymore for the VO and the FQANs.

We will need to decide on sustainable ways for the accounting to keep working...



 
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Jose Caballero <jcaballero.hep@xxxxxxxxx>
Sent: Friday, May 5, 2023 9:33 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: condor-users@xxxxxxxxxxx <condor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Missing `x509UserProxyVOName` ClassAd in Condor 10.0.3
 
Hi,

if I understand correctly what I see, the classAd mentioned by Tom, "x509UserProxyVOName", is added to the jobs at the schedd level. 
Picking one random job on a schedd 9.0.5, this is the submit file from the CE middleware (ARC) [1] and these are the classAds of the submitted job [2].
So clearly the classAds x509* have been added by our local Schedd. 

However, on a schedd 10.0.3, some of those classAds are missing [3].

I have downloaded the code from GITHUB, and a simple grep gives me the same results for the main branch and tag V9_0_5. 
Also, the classAd x509UserProxyVOName is still mentioned in the documentation. 
So I am quite lost as well. Why are the jobs submitted from schedd 10.x suddenly missing these classAds?

Any comment/question is more than welcome.

Cheers,
Jose

[1]
[root@arc-ce04 PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm]# cat condorjob.jdl
# HTCondor job description built by arex
Executable = condorjob.sh
Input = /dev/null
Log = /var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm/log
Output = /var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm.comment
Error = /var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm.comment
+NordugridQueue = "EL7"
Description = gridjob
Universe = vanilla
Notification = Never
Requirements = (NumJobStarts == 0) && ( (OpSys == "LINUX" && OpSysMajorVer >= 7) )
Priority = 0
x509userproxy = /var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm/user.proxy
request_cpus = 1
request_memory=4000
+JobMemoryLimit = 4096000
should_transfer_files = YES
When_to_transfer_output = ON_EXIT_OR_EVICT
Transfer_input_files = /var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm
Periodic_remove = (JobStatus == 1 && NumJobStarts > 0) || ((ResidentSetSize isnt undefined ? ResidentSetSize : 0) > JobMemoryLimit)
Queue

[2]
[root@arc-ce04 PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm]# condor_q -l 2479042 | grep ^x509
x509userproxy = "/var/spool/arc/grid00/PG3NDmbdVE3nE6QDjqmt6UqoABFKDmABFKDmhZLKDmABFKDmpuXrkm/user.proxy"
x509UserProxyEmail = "lb.pilot@xxxxxxx"
x509UserProxyExpiration = 1683605339
x509UserProxyFirstFQAN = "/lhcb/Role=pilot/Capability=NULL"
x509UserProxyFQAN = "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=lbpilot/CN=693025/CN=Robot: LHCb pilot,/lhcb/Role=pilot/Capability=NULL,/lhcb/Role=NULL/Capability=NULL"
x509userproxysubject = "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=lbpilot/CN=693025/CN=Robot: LHCb pilot"
x509UserProxyVOName = "lhcb"

[3]
[root@arc-ce-test01 ~]# condor_history -l 605625.0 | grep ^x509
x509UserProxyEmail = "Andrea.Sciaba@xxxxxxx"
x509UserProxyExpiration = 1682927827
x509userproxy = "/var/spool/arc/grid05/ZPsKDmZFHD3n61QDjqWNiMpoABFKDmABFKDmAaFKDmAEFKDmDzgJen/user.proxy"
x509userproxysubject = "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba"




On Tue, 2 May 2023 at 10:33, Thomas Hartmann (<thomas.hartmann@xxxxxxx>) wrote:
Hi Thomas,

from Condor 10 on, GSI is not supported anymore but only token authz.
Also, IIRC, ATLAS has recently switched Harvester submission to Condor 10
as well, so that their jobs do not get submitted anymore with X509 ads.

Probably the only option in the midterm would be to add cases for
routes that evaluate the Auth* ads similarly to the X509 ads.

Cheers,
   Thomas

On 02/05/2023 10.07, Thomas Birkett - STFC UKRI via HTCondor-users wrote:
> Hi Condor community,
> 
> I hope you are all keeping well, hopefully a simple fix but I’ve 
> recently upgraded our test Condor pool from 9.0.15 to 10.0.3 (LTS) and I 
> notice that jobs no longer show the ClassAd “x509UserProxyVOName”. The 
> following x509 classads are present when running a `condor_q -l *jobid*`
> 
> x509UserProxyEmail
> 
> x509UserProxyExpiration
> 
> x509userproxy
> 
> x509userproxysubject
> 
> however, ` x509UserProxyVOName` is missing.
> 
> This is a problem for us as a large proportion of our Job Transforms use 
> this missing ClassAd `x509UserProxyVOName`. Downgrading to Condor 
> 9.0.15, the ClassAd is then applied to new incoming jobs. Any help in 
> debugging this issue would be gratefully received.
> 
> Many thanks,
> 
> *Thomas Birkett*
> 
> Senior Systems Administrator
> 
> Scientific Computing Department
> 
> Science and Technology Facilities Council (STFC)
> 
> Rutherford Appleton Laboratory, Chilton, Didcot
> OX11 0QX
> 
> 
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> 
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
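
Added example, not part of the thread and not HTCondor code: a Python check over long-form job ads (the `condor_q -l` / `condor_history -l` output quoted above) that reports which identity attribute a route or accounting record could key on for each job. The sample ads and their values are constructed, only the attribute names come from the thread, and the function names are hypothetical.

```python
import re

# One "Name = value" line of long-form ClassAd output.
_ATTR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')

def parse_ads(text):
    """Split long-form output (ads separated by blank lines) into dicts.
    Keys are lower-cased: ClassAd attribute names are case-insensitive."""
    ads, cur = [], {}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strip the quotes of a string literal
            cur[m.group(1).lower()] = value
        elif not line.strip() and cur:
            ads.append(cur)
            cur = {}
    if cur:
        ads.append(cur)
    return ads

def identity_source(ad):
    """Pick the attribute a route or accounting record could key on.
    The precedence (VOMS, token, bare subject) is this example's choice."""
    if ad.get("x509userproxyvoname"):
        return ("voms", ad["x509userproxyvoname"])
    if ad.get("authtokenissuer"):
        return ("token", ad["authtokenissuer"])
    if ad.get("x509userproxysubject"):
        # Proxy present, but no VOMS attributes were extracted from it.
        return ("x509-no-voms", ad["x509userproxysubject"])
    return ("none", None)

def audit(text):
    """Return (ClusterId, kind, value) for every ad in the text."""
    return [(ad.get("clusterid"), *identity_source(ad)) for ad in parse_ads(text)]

# Constructed sample ads: values are made up, attribute names are from the thread.
SAMPLE = '''
ClusterId = 1
x509userproxysubject = "/DC=example/CN=Test Pilot"
x509UserProxyFirstFQAN = "/examplevo/Role=pilot/Capability=NULL"
x509UserProxyVOName = "examplevo"

ClusterId = 2
x509userproxysubject = "/DC=example/CN=Test User"
x509UserProxyExpiration = 1700000000

ClusterId = 3
AuthTokenIssuer = "https://issuer.example/examplevo"
AuthTokenGroups = "/examplevo,/examplevo/pilot"
'''

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Jobs reported as `x509-no-voms` match the symptom in this thread: a delegated proxy whose VOMS attributes never reached the job ad.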